[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:12:04 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 64f4a84a13830c31011495ed5f91274df5e0d0da
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 22:17:24 2010 -0400
fix cve-2010-1773
diff --git a/WebCore/rendering/RenderListMarker.cpp b/WebCore/rendering/RenderListMarker.cpp
index d0353ee..6c8f769 100644
--- a/WebCore/rendering/RenderListMarker.cpp
+++ b/WebCore/rendering/RenderListMarker.cpp
@@ -101,8 +101,10 @@ static inline String toAlphabeticOrNumeric(int number, const UChar* sequence, in
int length = 1;
if (type == AlphabeticSequence) {
- while ((numberShadow /= sequenceSize) > 0)
- letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize - 1];
+ while ((numberShadow /= sequenceSize) > 0) {
+ --numberShadow;
+ letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
+ }
} else {
while ((numberShadow /= sequenceSize) > 0)
letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
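Review bot: The added `--numberShadow;` in the alphabetic loop has no comment saying why the decrement must come before the modulo, and that ordering is the whole fix: the removed line indexed `sequence[numberShadow % sequenceSize - 1]`, which lands one element before `sequence` whenever the remainder is 0. I would add `// Alphabetic sequences have no zero digit: decrement first so the index stays in [0, sequenceSize).` above it. The changelog hunk calls this an integer overflow, while the visible lines read as an out-of-bounds index, so that entry may deserve rewording. The write index `lettersSize - ++length` is not bounded inside the hunk and depends on `lettersSize` and `sequenceSize`, both declared outside it; an `ASSERT(length < lettersSize);` at the top of the loop body would make the bound explicit. The same lines are duplicated in debian/patches/cve-2010-1773.patch, so any change applies there too.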
diff --git a/debian/changelog b/debian/changelog
index 036196a..85ed064 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
ibm1147 character set.
* Fix cve-2010-1771: possible code execution due to improper font handling.
* Fix cve-2010-1772: geolocation disconnectframe timer issue.
+ * Fix cve-2010-1773: integer overflow in alphabet conversion.
element.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1762.patch b/debian/patches/cve-2010-1762.patch
new file mode 100644
index 0000000..e44e98f
--- /dev/null
+++ b/debian/patches/cve-2010-1762.patch
@@ -0,0 +1,21 @@
+description: fix cve-2010-1762
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59241
+Index: webkit-1.2.1/WebCore/editing/markup.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/editing/markup.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/editing/markup.cpp 2010-06-28 22:02:20.000000000 -0400
+@@ -404,10 +404,12 @@
+ if (Node* parent = node->parentNode()) {
+ if (parent->hasTagName(scriptTag)
+ || parent->hasTagName(styleTag)
+- || parent->hasTagName(textareaTag)
+ || parent->hasTagName(xmpTag)) {
+ appendUCharRange(result, ucharRange(node, range));
+ break;
++ } else if (parent->hasTagName(textareaTag)) {
++ appendEscapedContent(result, ucharRange(node, range), documentIsHTML);
++ break;
+ }
+ }
+ if (!annotate) {
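Review bot: This new patch file belongs to cve-2010-1762, which the commit title ("fix cve-2010-1773") does not mention, and the debian/patches/series hunk already shows `cve-2010-1762.patch` as an existing entry, so the series appears to have referenced a missing file until this commit. Unlike RenderListMarker.cpp, WebCore/editing/markup.cpp is not changed in this commit, so it is worth confirming that the tree really carries the `appendEscapedContent` branch for `textareaTag` and not only the patch file. The header would also be more useful to later auditors if it said what the patch does, e.g. `description: escape textarea content when serializing markup (cve-2010-1762)`.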
diff --git a/debian/patches/cve-2010-1773.patch b/debian/patches/cve-2010-1773.patch
new file mode 100644
index 0000000..2a936de
--- /dev/null
+++ b/debian/patches/cve-2010-1773.patch
@@ -0,0 +1,20 @@
+description: fix cve-2010-1773
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59950
+Index: webkit-1.2.1/WebCore/rendering/RenderListMarker.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderListMarker.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderListMarker.cpp 2010-06-28 22:16:48.000000000 -0400
+@@ -101,8 +101,10 @@
+ int length = 1;
+
+ if (type == AlphabeticSequence) {
+- while ((numberShadow /= sequenceSize) > 0)
+- letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize - 1];
++ while ((numberShadow /= sequenceSize) > 0) {
++ --numberShadow;
++ letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
++ }
+ } else {
+ while ((numberShadow /= sequenceSize) > 0)
+ letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize];
diff --git a/debian/patches/series b/debian/patches/series
index c6d3dc4..bdceb85 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ cve-2010-1762.patch
cve-2010-1770.patch
cve-2010-1771.patch
cve-2010-1772.patch
+cve-2010-1773.patch
--
WebKit Debian packaging